Browser password manager used to track you, even with tracking blocked

FreedomToTinker:

We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

To see this for yourself, fire up Safari and go to this demo page.

  • When the page loads, type in a fake email address and a fake password. Don’t use your real info.
  • Click the link at the bottom of the page.
  • Safari will offer to save your password for that site. Click Save.

The demo will then jump to a sniffer page which contains an invisible login form. Safari will helpfully populate the form, and this new demo page will display the sniffed results.

This approach is only possible when a third party has script access to the first-party domain. Thus, our third-party script is only able to recover the credentials you saved for this website (senglehardt.com). It is not possible for us to access credentials for other websites.

So far, your data is visible to a script running on a site with that script installed. The problem is with scripts that run on multiple sites:

We found two scripts using this technique to extract email addresses from login managers on the websites which embed them. These addresses are then hashed and sent to one or more third-party servers. These scripts were present on 1110 of the Alexa top 1 million sites. The process of detecting these scripts is described in our measurement methodology in Appendix 1. We provide a brief analysis of each script in the sections below.

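Bottom line: the scripts are saving hashed versions of surreptitiously harvested login info and comparing them to a saved database of other hashed results. A hash is a one-way digest rather than encryption, but the same email address always produces the same hash, so it still works as an identifier. If a script finds a match, it knows who you are.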

This is all a bit complicated, but my 2 cents: Apple should address this in some way to prevent this form of cross-site tracking.
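A site owner can audit a page for the pattern the sniffer page relies on: a login field the user never sees. This is an added example, not code from Freedom to Tinker or from this post; the descriptor shape, the field names and the sample data are constructed, and the invisibility heuristics are assumptions, not an exhaustive list.

```javascript
// Added example (not from the article): audit a page for credential fields the
// user cannot see. Descriptors are plain objects so the logic also runs in Node.
const CREDENTIAL_TYPES = new Set(["email", "password"]);
const CREDENTIAL_HINTS = /user|login|e-?mail|pass/i; // assumed naming hints

// Browser only: snapshot the properties the audit needs from a live <input>.
function describeField(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  let opacity = 1; // opacity is not inherited, so multiply up the ancestor chain
  for (let n = el; n; n = n.parentElement) opacity *= Number(getComputedStyle(n).opacity);
  return { type: el.type, name: el.name, autocomplete: el.autocomplete,
           display: cs.display, visibility: cs.visibility, opacity,
           width: r.width, height: r.height,
           right: r.right + window.scrollX, bottom: r.bottom + window.scrollY };
}

function isCredentialField(f) {
  return CREDENTIAL_TYPES.has(f.type) || CREDENTIAL_HINTS.test(`${f.name} ${f.autocomplete}`);
}

function invisibleReasons(f) {
  const reasons = [];
  if (f.display === "none") reasons.push("display:none");
  if (f.visibility === "hidden") reasons.push("visibility:hidden");
  if (Number(f.opacity) === 0) reasons.push("opacity:0");
  if (f.width <= 1 || f.height <= 1) reasons.push("zero-size");
  if (f.right < 0 || f.bottom < 0) reasons.push("off-screen");
  return reasons;
}

// Returns one finding per credential field with at least one invisibility reason.
function auditFields(fields) {
  return fields.filter(isCredentialField)
    .map(f => ({ name: f.name, type: f.type, reasons: invisibleReasons(f) }))
    .filter(finding => finding.reasons.length > 0);
}

// Constructed sample: a visible login form, a honeypot, and an injected hidden form.
const shown = { autocomplete: "", display: "inline-block", visibility: "visible",
                opacity: 1, width: 220, height: 28, right: 400, bottom: 300 };
const SAMPLE_FIELDS = [
  { ...shown, type: "email", name: "email" },
  { ...shown, type: "password", name: "pw" },
  { ...shown, type: "text", name: "website", display: "none", width: 0, height: 0 },
  { ...shown, type: "email", name: "e", display: "none", width: 0, height: 0, right: 0, bottom: 0 },
  { ...shown, type: "password", name: "p", opacity: 0 },
];
console.log(auditFields(SAMPLE_FIELDS));
```

In a browser, feed it live fields with `auditFields([...document.querySelectorAll("input")].map(describeField))`, ideally re-run from a `MutationObserver` callback so forms injected after load are also checked.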



  • Caleb Hightower

    Agreed.

  • rick gregory

    Misleading headline – this isn’t specific to Safari. But yes, this is an issue and Apple (and other browser vendors) should do what 1Password does and prevent this. https://support.1password.com/kb/201712/

  • Meaux

    This is only new if the original iPhone is new. This issue has been raised as a security vulnerability for over a decade.

    • Introduced in iOS 7 (2013), yes?

      • Meaux

        No it’s been an issue for browsers for 11 years (i.e. older than the iPhone). Academic papers and bug reports on this go back a loooooong time. It’s not a Safari only bug. It’s an issue in Chrome, Firefox and IE too, AFAIK.

        • Ah, so you were just using the iPhone as a time frame rather than saying it was a bug in the original iPhone?

          (Which didn’t do autofill.)

          • Meaux

            Yes. Dave called this method of tracking “new” and I was snarking on that. If an 11 year old security hole is new, so is the original, EDGE only iPhone.

          • Gotcha! Apologies. 🙂